Vulnerability
Remote code execution is possible if a user clicks on a maliciously prepared link.
Vista's Mail client will execute an executable file whenever a folder with the same base
name exists alongside it: a link targeting that extension-less name runs the executable
instead of opening the folder.
For example, the victim has a folder in C:\ named blah and a batch script named blah.bat,
also in C:\. If the victim now clicks on a link in the email message whose URL target is
set to C:\blah, the batch script is executed without any prompt.
Such a pair exists by default: C:\Windows\System32\ contains a CMD script named winrm.cmd
(and also a folder named winrm inside System32).

Exploit:
Send an HTML email message containing the URL:
<a href="c:/windows/system32/winrm?">Click here!</a>
or
<a href="c:/windows/system32/migwiz?">Click here!</a>
and winrm.cmd or migwiz.exe is executed without asking for permission.
These are just examples.

I could not pass arguments to winrm (hehe this would be beautiful), but I guess there
are several attack vectors.
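As an added, defender-side example that is not part of the advisory: a Python audit of the links in an HTML message body, the check a mail client should apply before handing an href to a shell-open handler. It allows only http, https and mailto targets, blocks drive-letter, file: and UNC targets outright, and, for the blocked local paths, reports which executable a PATHEXT-style name lookup would pick when a folder and a script share a base name. The directory listing, the message body and the extension search order are constructed assumptions; a real client would read the filesystem and %PATHEXT% instead.

```python
"""Audit the links in an HTML email body before any of them reaches a
shell-open handler: allow only web and mailto schemes, and for local
filesystem targets report the executable a PATHEXT-style lookup would pick
when a folder and a script share a base name.
"""
import re
from html.parser import HTMLParser

ALLOWED_SCHEMES = {"http", "https", "mailto"}
# Assumed PATHEXT-style search order; Windows reads the real list from %PATHEXT%.
EXEC_EXTENSIONS = (".com", ".exe", ".bat", ".cmd")
_SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):")


class _LinkCollector(HTMLParser):
    """Collect the href attribute of every <a> tag in the message body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value is not None:
                    self.hrefs.append(value)


def extract_hrefs(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.hrefs


def classify_href(href):
    """Return (verdict, reason). Only explicit web/mailto schemes are allowed;
    anything that could be handed to the shell as a filesystem path is blocked."""
    target = href.strip()
    m = _SCHEME_RE.match(target)
    scheme = m.group(1).lower() if m else ""
    if scheme in ALLOWED_SCHEMES:
        return "allow", scheme
    if len(scheme) == 1:          # a one-letter "scheme" is really a drive letter
        return "block", "drive-letter path"
    if scheme == "file":
        return "block", "file: URL"
    if scheme == "":
        return "block", "relative or UNC path"
    return "block", "unrecognised scheme " + scheme


def local_path(href):
    """Normalise a drive-letter or file: href to a forward-slash path without
    query/fragment; return None for anything that is not such a local path."""
    target = href.strip().split("#", 1)[0].split("?", 1)[0]
    m = _SCHEME_RE.match(target)
    scheme = m.group(1).lower() if m else ""
    if scheme == "file":
        target = target[len("file:"):].lstrip("/")
    elif len(scheme) != 1:
        return None
    return target.replace("\\", "/").rstrip("/")


def executable_siblings(path, listing):
    """Given an extension-less local path and a directory listing (a dict of
    lower-case directory -> entry names; constructed here, os.listdir in
    production), return the executables a PATHEXT-style lookup could resolve
    the bare name to, in search order."""
    norm = path.replace("\\", "/").rstrip("/")
    directory, _, base = norm.rpartition("/")
    entries = {e.lower() for e in listing.get(directory.lower(), ())}
    base = base.lower()
    return [base + ext for ext in EXEC_EXTENSIONS if base + ext in entries]


def audit_email(html, listing):
    """One report entry per link: verdict, reason and any executable that a
    bare-name lookup of a local target would run."""
    report = []
    for href in extract_hrefs(html):
        verdict, reason = classify_href(href)
        path = local_path(href)
        execs = executable_siblings(path, listing) if path else []
        report.append({"href": href, "verdict": verdict,
                       "reason": reason, "executables": execs})
    return report


# Constructed listing mirroring the folder/script pairs the advisory names.
SAMPLE_LISTING = {
    "c:": {"blah", "blah.bat", "windows"},
    "c:/windows/system32": {"winrm", "winrm.cmd", "migwiz", "migwiz.exe"},
}

# Constructed message body: one ordinary web link plus the advisory's two links.
SAMPLE_EMAIL = """<html><body>
<p><a href="https://example.com/news">Read more</a></p>
<p><a href="c:/windows/system32/winrm?">Click here!</a></p>
<p><a href="c:/windows/system32/migwiz?">Click here!</a></p>
</body></html>"""

if __name__ == "__main__":
    for entry in audit_email(SAMPLE_EMAIL, SAMPLE_LISTING):
        print(entry)
```

The scheme allow-list is the actual fix for a client: a local path should never be opened from a message at all, so the verdict does not depend on what is on disk. The sibling check is for auditing a host or a message archive, since it shows which bare-name links would have resolved to a script or binary on that machine.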